I have an open question to understand and see what strategies can be used to do a secure download.

We have an MVC4/JavaScript client invoking a Web API to get multipart data back, and the UI controller fetches the data and returns a File() result for download.

The request url looks something like this:

 http://someapplication/downloadfile/1234

where 1234 is the id of the file to be retrieved.

We are trying to add some strategy to this URL so that a user cannot share this URL and let someone else download the file.

By using some kind of key to make this URL unique and specific to the user? By using the referer from the browser, or something else?

Any suggestions?

fireholster
    Is authentication not in place i.e. user must login to access the file? – SBirthare Jun 22 '15 at 06:43
  • We have SSO in place to allow only authenticated users to have access to the application, but others might have access to the download, and we don't want the user triggering the download to share that link across. Not sure if I am making any sense as I am typing it... – fireholster Jun 22 '15 at 06:48

1 Answer

I usually use the Token-In-Header approach to make these things secure and authenticate the user. So, if the user shares the URL with anyone, they would also need that Token-In-Header for authentication. This is how it works:

  1. Generate a unique token for each user for every login (just like a session key).
  2. This unique token will be used by clients (e.g. a mobile app) when making the file download request, by putting the token in the header of the request.
  3. At the MVC end, get that token from the header and perform any validation to authenticate the user (securing the file download).
Puneet
  • The token can be added to the request as specified in this SO answer: http://stackoverflow.com/a/13515414/3748701 – Manik Arora Jun 22 '15 at 11:54
  • If SSO has been implemented using `cookies`, then the application might already be receiving the session/authentication cookie if both the AJAX call and the hosted application are on the same domain. In that case there is no need for a header; just validate the user request in the overridden `OnAuthorization` method of the `Controller`. – Manik Arora Jun 22 '15 at 12:00
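As an added example (not code from the answer or from the asker's project), one way to implement the three steps above in ASP.NET MVC4: a random per-login token is issued, an authorize attribute checks the `X-Auth-Token` header, and the download action still checks that the caller owns the requested file, because the token only proves who is calling, not which files they may read. The header name `X-Auth-Token`, the `Store` and `StoredFile` types, and the route mapping `/downloadfile/{id}` to the action are all assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;
// Hypothetical in-memory stores; a real app keeps these in its session store or database.
public class StoredFile { public string OwnerId, Name; public byte[] Content; }
public static class Store
{
    public static readonly ConcurrentDictionary<string, string> Tokens =
        new ConcurrentDictionary<string, string>();      // token -> user id
    public static readonly ConcurrentDictionary<int, StoredFile> Files =
        new ConcurrentDictionary<int, StoredFile>();     // file id -> file

    // Step 1: issue a fresh random token at login, like a session key.
    public static string IssueToken(string userId)
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        Tokens[token] = userId;
        return token;
    }
}
// Step 3: check the token the client put in the X-Auth-Token header (assumed name).
// A missing or unknown token makes AuthorizeAttribute answer 401 without a file body.
public class TokenAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var token = httpContext.Request.Headers["X-Auth-Token"];
        string userId;
        if (string.IsNullOrEmpty(token) || !Store.Tokens.TryGetValue(token, out userId))
            return false;
        httpContext.Items["UserId"] = userId;   // hand the caller's identity to the action
        return true;
    }
}
public class DownloadFileController : Controller
{
    // Assumes a route mapping /downloadfile/{id} to this action. The token only says
    // who is calling; the action must still check that this caller may read file {id}.
    [TokenAuthorize]
    public ActionResult Index(int id)
    {
        var userId = (string)HttpContext.Items["UserId"];
        StoredFile file;
        if (!Store.Files.TryGetValue(id, out file)) return HttpNotFound();
        if (file.OwnerId != userId) return new HttpStatusCodeResult(403);
        return File(file.Content, "application/octet-stream", file.Name);
    }
}
```

The client (step 2) sends the value returned by `IssueToken` in the `X-Auth-Token` header of each download request; a copied URL without that header gets a 401, and a valid token for a different user gets a 403.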